Vulnerability Assessment and Penetration Testing
Scenario 1: An organization develops an application and immediately deploys it without any testing. The same is true for the rest of its technical infrastructure: the organization is not worried about vulnerabilities or loopholes in its systems. Instead, it believes in waiting for an attack to happen, so that it only spends time on resolving the issues that lead to an incident.
Scenario 2: An organization believes in the principles of DevSecOps and has implemented them adequately. As a result, vulnerability assessment and penetration testing (VAPT) activities are performed regularly, both during development and after development and deployment are complete.
Of these scenarios, some people will still follow the good old first approach, while many will lean towards the second, because an organization now needs to be proactive in dealing with the intricacies of cyberspace. Security should have one of the highest priorities within an organization, and the individual responsible for an organization’s information security must get a seat on the board. The important question is:
Why should an organization wait for the attackers to exploit a vulnerability when they can address it beforehand?
Vulnerability Assessment and Penetration Testing
Vulnerability Assessment and Penetration Testing, commonly referred to as VAPT, are two types of security testing activities. Each has its own strengths, and they are combined in order to achieve a thorough vulnerability analysis of the systems in the scope of testing. Although they share a similar area of focus, they perform different tasks and are expected to produce altogether different results.
Generally, vulnerability assessment tools only help you find the existing vulnerabilities in your systems, applications, or infrastructure. They cannot answer questions such as which vulnerabilities can cause damage and which cannot, or which vulnerabilities are exploitable and which are not. In plain words, the most basic job of a vulnerability assessment is to find pre-existing vulnerabilities, loopholes, and lapses, and to alert the system administrator, pointing to the lines of code where a vulnerability actually resides. In addition, the vulnerabilities found can be presented as a list ordered by severity.
Penetration testing, on the other hand, goes beyond merely identifying a vulnerability. In a penetration test, the tester takes the role of an attacker, attempts to find vulnerabilities in the given code, and then checks how many of these vulnerabilities can be exploited. Based on the test results, the tester decides whether there is a possibility of unauthorized access or malicious code. If there is, the testers explore the potential damage that could be done to the organization if a particular attack vector were realized fully.
The fine difference between the two is that penetration testing results demonstrate how damaging a flaw could be in a real-life attack, whereas an assessment aims to find all the flaws. When both are combined into VAPT, the tools first perform a thorough vulnerability scan and then show the associated risks and the possible damage if a particular vulnerability is exploited successfully.
Differences between Vulnerability Assessment and Penetration Testing
| |Vulnerability Assessment|Penetration Testing|
|---|---|---|
|Result|It lists out all the existing vulnerabilities.|It is a goal-oriented exercise which simulates a real-life attack and may include exploitation of vulnerabilities found in a vulnerability assessment.|
|Focus|It focuses on individual vulnerabilities, their severity, and other details.|It focuses on how an attacker could exploit that vulnerability and quantification of damages if an attacker succeeds in exploitation.|
|Orientation|It is a type of breadth-oriented approach to security testing.|It is a type of depth-oriented approach to security testing.|
|Report|Existing vulnerabilities, their severity, changes from the last assessment, etc.|Successful exploitation, possible damages, etc.|
|Business Value|It finds the instances when equipment could be compromised.|It finds such equipment in order to identify its weaknesses and mitigate them thoroughly.|
|Our Recommended Frequency|Quarterly, and every time when new equipment is purchased, or there are significant changes in the organizational network|Half-yearly, and when there are significant changes in the organizational network|
Vulnerability Assessment and Penetration Testing: Key Differences
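The vulnerability assessment report described in the table (existing vulnerabilities, their severity, changes from the last assessment), as an added example that is not part of the original post. The `Finding` fields, the asset names, the check ids and both sets of scan results are constructed for illustration.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Finding:
    asset: str       # host or application the scanner examined
    check_id: str    # scanner's name for the weakness (constructed, not real ids)
    severity: str    # one of the SEVERITY_RANK keys
    location: str    # port or file:line where the weakness resides

    def key(self):
        # Severity is left out so a re-rated finding still matches its old entry.
        return (self.asset, self.check_id, self.location)

def assessment_report(previous, current):
    """Return (open_findings, resolved): open findings sorted by severity and
    labelled against the previous assessment, plus findings no longer present."""
    prev = {f.key(): f for f in previous}
    curr = {f.key(): f for f in current}
    open_findings = []
    for k, f in curr.items():
        if k not in prev:
            status = "new"
        elif prev[k].severity != f.severity:
            status = f"severity changed (was {prev[k].severity})"
        else:
            status = "persisting"
        open_findings.append((f, status))
    open_findings.sort(key=lambda r: (SEVERITY_RANK[r[0].severity], r[0].asset, r[0].check_id))
    resolved = sorted((prev[k] for k in prev.keys() - curr.keys()),
                      key=lambda f: (SEVERITY_RANK[f.severity], f.asset, f.check_id))
    return open_findings, resolved

# Constructed sample data: two consecutive assessments of the same network.
PREVIOUS = [Finding("web-01", "SQLI-LOGIN", "high", "app/login.py:42"),
            Finding("web-01", "WEAK-TLS", "medium", "443/tcp"),
            Finding("db-01", "DEFAULT-CREDS", "critical", "5432/tcp")]
CURRENT = [Finding("web-01", "SQLI-LOGIN", "high", "app/login.py:42"),
           Finding("web-01", "WEAK-TLS", "low", "443/tcp"),
           Finding("web-02", "OUTDATED-LIB", "critical", "requirements.txt:7")]

if __name__ == "__main__":
    open_findings, resolved = assessment_report(PREVIOUS, CURRENT)
    for f, status in open_findings:
        print(f"{f.severity.upper():8} {f.asset:7} {f.check_id:14} {f.location:20} {status}")
    for f in resolved:
        print(f"RESOLVED {f.asset:7} {f.check_id:14} {f.location}")
```

The report ranks and tracks findings but says nothing about which of them are exploitable; that is the question the penetration test answers.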
Vulnerability Assessment v. Penetration Testing – Which one is better?
As we saw in our last post on DAST v. SAST, both methodologies have to be implemented in order to address the security issues in an application comprehensively. Similarly, it cannot be said that vulnerability assessment is better than penetration testing or vice versa. An organization must perform them together, as VAPT, in order to get the best results possible. In closing, it is high time for organizations across the globe to ensure that their approach to information security falls under the second scenario, not the first.